Tag Archives: security

Post navigation

On the same day as the Telecommunications Regulatory Authority (TRA) of the United Arab Emirates (UAE) announced a ban on BlackBerry Messenger, E-Mail and Web-browsing services from 11 October 2010, the Emirates News Agency (ENA) published a comparative law paper on aspects of US, UK and UAE telecommunications law (see pervious post Blast! BlackBerry blanked for links). No author is cited on the ENA study, but it seems to imply that the banning of BlackBerry services by the TRA UAE was a regulatory measure that could have been taken appropriately and proportionately by Ofcom under UK telecommunications law.

In this post I set out why I consider this to be a fundamentally mistaken analysis.

Section 132 Communications Act 2003

The UK analysis begins with a discussion of section 132 of the Communications Act 2003, which permits the Secretary of State, upon reasonable grounds where considered necessary to protect against threats to public safety, public health or in the interests of national security, to order that certain networks or services are suspended or restricted. Immediately it can be seen that the grounds upon which the Secretary of State can act are more narrow than in the UAE, where the TRA UAE can act on the grounds of public interest. As the provision states that the Secretary of State must only act on reasonable grounds, by implication these must also be published.

Further weight is given to this implied obligation of the Secretary of State (and Ofcom) to publish their reasons for acting from the fact that this section has its roots in European Union law. The Explanatory Notes that were published with the Communications Bill in the House of Lords state that the clause which was enacted as section 132 was the UK expression of the derogation permitted at Article 3(1) of the Authorisation Directive 2002/21/EC. This only permits member states of the EU to suspend or restrict networks or services as set out at Article 52(1) TFEU (formerly Article 46(1) TEC), being the public safety, public health and national security grounds. However, Recital (4) of the Authorisation Directive makes clear that it provides for a regulatory regime which allows operators to “benefit from objective, transparent, non-discriminatory and proportionate rights, conditions and procedures”.

Once ordered, Ofcom is required to give operators directions to implement the Secretary of State’s order. It should be noted that section 132 (and its sister section, section 133) come under the heading of “Powers to deal with emergencies“. Headings in statutes in UK legislation can be used as extrinsic aids to interpretation. Given that other provisions in the Communications Act 2003 and elsewhere provide the regulatory means to obtain communications data or traffic data (which phrases have specific meaning under UK telecommunications law) routinely, a UK court would be likely to find that section 132 only applied to urgent threats requiring imminent action. It is unlikely that a perceived threat that has been in existence since the introduction of BlackBerries, at least since June 2007 for BlackBerry 8800 or December 2009 for BlackBerry Bold for Etisalat, would be considered to be an emergency.

Enforcement Powers of Ofcom

As the UK has an authorisation regime, all communications providers must comply with general conditions made by Ofcom under section 45 of the Communications Act 2003. These are analogous to standard licence conditions for licensed operators. The ENA paper describes Ofcom’s suspension powers following breaches of these general conditions, as well as conditions dealing with premium rate services or provisions concerning the supply of requested information to the regulator. This is largely irrelevant when considering the TRA’s actions, other than to note that Ofcom can under certain circumstances order the suspension of services. However, under UK administrative law, any Ofcom order to suspend services made without reasoning that showed their regulatory action to be objective, transparent, non-discriminatory and proportionate would immediately be vulnerable to an appeal to the Competition Appeal Tribunal (under section 192 of the Communications Act 2003). Merely stating that a direction was made upon the grounds of public safety, public health or national security would not be sufficient. No regulatory intervention could be made under UK law on public interest grounds alone.

Interception

The EMA paper faithfully sets out the interception of communications regime under UK telecommunications law. It notes that interception by a public telecommunications operator in accordance with the terms of a properly authorised warrant is lawful, and notes that public telecommunications operators are required to maintain interception capabilities. Where necessary, encryption keys and decryption technologies must also be disclosed in order to enable the relevant persons to decrypt interception information obtained by them under a warrant.

Right to Privacy

The starting point for UK telecommunications law on access to communications or traffic data is the right to privacy, which is set out in the Human Rights Act 1998. This incorporates the European Convention of Human Rights into UK law. Article 8 of the Convention states:

Article 8 – Right to respect for private and family life

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

It is extremely difficult to imagine the circumstances that would need to exist in the UK so that a provision similar to the TRA’s Article 11.1 of the Policy on Radiocommunications dated 23 July 2008, which prohibits the use of any encryption techniques unless authorised by TRA, would be considered “necessary in a democratic society”.

Divergent Approaches

The laws of the UK start with the presumption that encryption is lawful and permitted. A regulatory mechanism exists to enable the relevant authorities to obtain access to encrypted communications, and the encryption keys and decryption technologies, where necessary and on an exception basis, in order to monitor or intercept certain communications in the interests of public safety, public health and national security subject to justiciable warrants (see Part IV of the Regulation of Investigatory Powers Act 2000).

The UK system has recently (18 May 2010) been the subject of a ruling of the European Court of Human Rights (in the case of Kennedy v United Kingdom (Application 26839/05)), where it was determined to be consist with Article 8(2) of the Convention. The case also illustrates how a citizen can challenge an interception warrant.

The TRA UAE Policy on Radiocommunications describes a fundamentally different approach. In UAE the default presumption appears to be that encryption is not lawful or permitted. It is only permitted by the TRA or competent authorities where the encryption is determined not to be a threat to public interest, safety or national security.

Conclusion

In summary, the UK approach is that communications are a private matter, with the default position that all encryption or signalling methods being lawful unless subject of specific direction in order to protect against threats to public safety or public health or in the interests of national security.

In contrast, the UAE approach is that communications are not a private matter, with the default position that any form of encryption is not lawful, unless permitted by the TRA UAE. Permission will not be granted if TRA UAE consider that refusing permission would be in the public interest, safety or national security interest. This is not to suggest that this default position and regulatory approach is wrong, it just tackles the question of lawful encryption in a fundamentally different way from the UK.

What is wrong is to imply that the UAE and UK telecommunications regimes are in any way equivalent or comparable, given these diametrically opposed starting points, merely because both systems provide regulators with similar emergency and enforcement powers. The approaches to privacy, and the systems that implement them, are as different as chalk and cheese.

Mid Staffs NHS Foundation Trust is one of the latest organisations to agree to give an undertaking to the Information Commissioner as a result of a data protection security breach. However, the circumstances of the breach are, we suspect, so routine that almost all organisations could learn from it.

This was not the standard “lost/stolen laptop” or “lost USB key” breach, but involved an eager member of the Trust’s (human resources) staff sending (sensitive) personal data to a home computer to finish off some work at home. The personal data was not encrypted or secured by a password. This transfer was in breach of the Trust’s policy, but the lack of physical security measures to prevent the transfer was heavily criticised.

The HSBC case highlights yet again the lack of enforcement powers given to the Information Commissioner under the Data Protection Act 1998. It also highlights the lack of regulatory powers the ICO has to set data protection rules. After all, HSBC was fined by the FSA for breach of FSA rules, not for breach of any legislation.

This is demonstrated in the Ian Kerr case. Although this involved systematic and blatant breaches of the data protection principles, including in respect of the processing of sensitive personal data (trade union membership), the prosecution was for the offence of not being notified to the Information Commissioner. However, a fine at the top of the scale was imposed by the court.

When no statutory offences have been committed, the Information Commissioner must fall back on the enforcement notice powers and the more recent innovation of getting data controllers to volunteer undertakings rather than be made the subject of an enforcement notice, as shown by Highland Council.

The Highland Council case on the face of its facts may be argued to be a little harsh. It concerned the theft of 2 password-protected laptops from a locked office. The laptops had personal data for over 1,400 individuals, including sensitive personal data (medical information). The key point, however, is that the laptops were unencrypted. This is yet another reminder that no-one using unencrypted laptops for personal data should expect any leniency from the Information Commissioner if they go missing.

Amicus Legal Limited is the latest in a long line of organisations being caught out by wandering laptops or USB keys: see the Information Commissioner’s Enforcement Page.

It’s another case of a laptop theft – this time a consultant’s laptop from a hotel room. As often is the situation, the laptop was unencrypted and belonged to a third party data processor. However, it’s the “owner” of the lost data, the data controller, that gets it in the neck.

These 7th Data Protection Principle breaches are getting so common, you’d think there would not be an unencrypted business-user’s laptop left in the European Union. The Information Commissioner’s patience has got to be wearing thin. They’ll be heavy fines in this area, once those sections 55A – 55E of the Data Protection Act 1998 are brought into effect!